On package update, recognize and inform users if an installer script has not changed

[KirkMunro]

Whenever I install or update packages using choco, I always review the installation scripts. This becomes very tedious on updates, because often the script itself does not change at all -- the bits that are installed change, which may mean some file names/URLs have changed, but the script that does the installation does not change, so I end up reviewing the same code over and over again, and that's just something to make my eyes glaze over and I may miss something important.

It would be very helpful if choco, on update, could recognize if a given script did or did not change since the last version of the package was installed, and notify me appropriately. Presumably if I trusted the script before, I trust it still, especially if it did not change. This way my choco updates would be much easier to review/approve, and I could focus my attention on scripts that actually changed when I update installed packages.

[vexx32]

Would be very cool to have a basic diff display if needed for install scripts that have changed. 🤔

[ferventcoder]

Thanks for writing that up!

[majkinetor]

This is nice security idea, might not be so trivial to implement tho. It could also be implmented as PoC outside of choco, by for example hooking cup bat script.

For example, in cup.bat

• download package and put it in the TEMP choco path so that next real cup could just use it without redownloading
• unpack it and diff it with current one
• determine how to analyize differences - diff could be used and/or other things such as number of lines, or total size changed more then X bytes, similarity compare etc. This wont be trivial to done 100% correctly but it could be better then nothing - for example by refusing to install when total number of lines changed it will prevent majority of cases (if one wanted to avoid it it would have to add changes to single lines in which case the size may change more dramatically as automatead changes do not usually produce large changes).
• if its ok, continue to run rest of cup script, complain and/or abort.

It would be very helpful if choco, on update, could recognize if a given script did or did not change since the last version of the package was installed, and notify me appropriately.

Notify is one option but leaving it only one is meh. Cup should have option to abort install of changed packages until run with force or something.

[KirkMunro]

I wonder if tying in a PowerShell Gallery here would help. Scripts are versioned in the Gallery, downloadable from a Gallery, and Choco could leverage the public one or offer its own. Just thinking an idea out loud.

Leveraging a gallery and isolating installer scripts could also help for installers that use a boilerplate shared script, passing in a JSON payload that defines what to install into a script that they download.

[majkinetor]

I don't like it, many do not use gallery.

[TheCakeIsNaOH]

This could be included as an extension without too much difficulty if https://github.com/chocolatey/choco/issues/1911 is implemented.